Faux-CNN Spam Blitz Delivers Malicious Flash
CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."
Ahhh, that explains it (Score:5, Interesting)
I was wondering why I was being spammed with such a seemingly innocuous message, I thought perhaps it was just a filter poisoning attempt.
Re: (Score:2)
I have about a hundred in my spam box, they were all addressed to a contact name on websites I maintain. None were sent to either personal address or the protected email address listed elsewhere on one site I have.
I did receive them on the corporate level and can only assume the name they spoofed allowed them to broadcast to all notes users... then again knowing some of my co-workers
Re: (Score:3, Funny)
Ugggh! (Score:3, Funny)
innocuous message??? (Score:2)
I got 7 of these in my Google Spam folder on August 5th. None of them look remotely like spam. You can VERY EASILY see that the links don't point to cnn.com by OnMouseOvering the links when reading them in Google's client.
That being said, I am not sure if legit CNN.com e-mails are going to start getting flagged (not that I think many people would let CNN.com deliver them "news" in the first place) but CNN.com itself is a disaster-pot of obnoxious Flash ads with Dancing Mortgage rates and Spinning Whirl
Re: (Score:3, Interesting)
I got one of these (Score:5, Informative)
it took me quite a while to figure out why this would be effective spam.
Then I had a look at the HTML view. Quite insidious.
It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually refers to a different URL.
Re: (Score:2)
I checked and yep, there's tons of copies of this email in my spam folder. The alleged CNN headlines, differing from mail to mail, are awesome.
4. Bill Clinton Regrets, 'I Am Not a Racist'
2. Bill Clinton and Monika seen again
5. Angry, late, tired passengers make computers crash
7. Celebrity was seen naked on the beach
7. Drunken Man Can't Erase Arrest
3. Michael Jackson is sued by his own dog
Olympics-Wear ox pendant to avoid rat clashes, leaders
9. Obama beats McCain
Re: (Score:2)
They're just spamming everyone. However, I'd guess it's pretty easy for someone as large as gmail to filter - there are only a handful of compromised domains that it's serving on.
Does anyone know if the site itself exploits any browser loopholes? The descriptions all say you have to download an executable, but I'm surprised they haven't put some exploits in there for drive-by attacks.
Faux-CNN Spam Blitz Delivers Malicious Flash? (Score:2)
More like "Faux-CNN Spam Wolf Blitzer Delivers Malicious Flash"!
Re:Faux-CNN Spam Blitz Delivers Malicious Flash? (Score:5, Funny)
Please God, no. Nobody wants Wolf flashing us.
IE7 Scam (Score:5, Funny)
There is another similar one pushing 'IE 7 is now available for download' from 'Microsoft'.
ya.. right...
Facebook, too? (Score:2, Informative)
Re: (Score:2, Informative)
Lawsuit? (Score:5, Insightful)
Too bad nobody is ever going to find the folks responsible for this. Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today? Next week? It wouldn't surprise me if CNN.com ad rates took a nosedive because of this as well. Who wants to go to "the spammer" web site?
This is the sort of extremely bad PR that CNN would be well within their rights to sue the pants off of whoever started this nonsense. Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws or what people think about spam. Also, how exactly would you prove where it came from?
Hope someone is getting paid real good for this. I don't think this can put CNN out of business, but it is certainly going to hurt real bad.
Re:Lawsuit? (Score:5, Insightful)
Considering how difficult and expensive it is to track down, indict and convict spammers and malware peddlers (not to mention they later tend to escape and commit suicide), I doubt CNN has the time or energy to do this.
You're never going to fix people's stupidity, which is ultimately the root of the problem.
Re: (Score:2)
CNN and AOL are both owned by Time Warner, and AOL has tracked down and successfully prosecuted a number of spammers before. The size and level of publicity behind this spam attack might make it worth CNN's while to pursue.
Re:Lawsuit? (Score:4, Interesting)
It's certainly a good advertisement for digitally signed email.
I realise digital signatures are still beyond the reach of most people that use email, but for those of us that actually know what they are and how to use them, it's a pretty decent solution to this problem - at least for people that want to receive email from CNN.
1) Sign up to CNN for emails
2) Enter your public key in your CNN alerts profile
3) Configure your mail client in such a way as to only accept email purporting to be from CNN that is digitally signed
4) Any email from CNN that is digitally signed, verify the signature - if it matches, accept it, if it doesn't, throw it in the spam pile.
Re: (Score:2)
An even better solution would be to simply use RSS.
Problem solved (until hackers use the DNS attack to feed you an RSS feed with modified links. Nothing is fool-proof).
PKI for email will take off once regular email becomes useless. So in that sense, we should be rooting for the spammers.
Re: (Score:2)
That's an awful lot of effort for what is essentially a piece of e-mail that is visually identical to the CNN home page. Why not just go there instead?
Re: (Score:2)
I never watch or listen to CNN - it is not available on any channel on my TV and I am not interested in it.
I would put any email from CNN straight into the bin. So spammers trying to impersonate CNN are going to get exactly the same treatment.
So spammers - keep impersonating the firms I don't care about (and that's almost all of them).
Re: (Score:2)
Forwarded articles should go to the trash any way, if I wanted to read it I'd go to the site.
Re: (Score:2)
No mod points today but I love simple and effective. This meets both standards.
Re: (Score:2)
They've also got this neat feature called RSS, where you can subscribe to stuff that you actually want.
Re:Lawsuit? - Not a chance. (Score:2)
Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws....
Well, that covers most of the world then.
....or what people think about spam.
True, but it is probably an accurate statement to say that spammers don't care what people think about spam.
Re: (Score:2)
Which actually means squat, in many cases.
Most of the "bank" e-mail I've seen is outsourced and the links also go to the original provider, redirecting to the bank later. Unless you're familiar with the companies involved, telling a real bank e-mail from a phish is incredibly difficult.
Google Mail (Score:2)
I've received nine of these (in just a few hours) on my usual (university) email address. But google mail keeps telling me about them, instead of marking them as spam or phishing and just moving them out of the way. Worse yet it leaves them on my (university) mail server which has an absurdly low quota - so I'll have to remove them manually. This means I need to deal with this crap twice - once when google mail tells me it won't give it to me and once when I need to login to the server and manually de
Re: (Score:2)
Nope. Can't. Google says there is a virus and so it was left on the server. Is there a way to change that?
Re: (Score:2)
I'd prefer that gmail accept the mail from the server and mark it as spam/phishing/whatever. I'd also like to be able to set a preference that allows me to decide that "yes, I would like to download that" and have gmail give it to me in a packed up format that I'd have to unpack somehow - just to make it hard for someone to inadvertently run the thing.
Lessons Learned (Score:4, Insightful)
Re: (Score:2)
Make that "Companies doing business on the web without basic spam filters in place". Our mailservers all run Spamassassin which easily recognized and tagged these as spam: score=8.449 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_DYNAMIC_DHCP=1.398, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033, RDNS_NONE=0.1, SARE_MONEYTERMS=0.681]. Companies that can't even manage to implement basic spam filters are at a competitive disadvantage. Those that curtail their emai
Re: (Score:3, Insightful)
Dude, spamassassin didn't recognize that message as spam.
DNS_FROM_OPENWHOIS, HELO_DYNAMIC_DHCP, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_PBL, RCVD_IN_XBL, and RDNS_NONE are origin checks, not message checks. (Well, the helo isn't technically, but forging it would be worse than correctly stating the dynamic IP.)
According to the message checks, that message scored BAYES_50=0.001 and HTML_MESSAGE=0.001 using standard spamassassin checks, and SARE_MONEYTERMS=0.681 from the very nice SAREs checks that smart mail admin i
Re: (Score:3, Informative)
The reason it was blocked was that it came from an IP that was currently blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.
Partially correct, but you're forgetting that headers _are_ content as much as the body, and any properly configured Spamassassin takes full advantage of RBLs, RHSBLs, and CBLs to identify spam (as much as any other signature). On this (well configured) server anything above 6.0 is discarded, yielding no false positives and rare false negatives (~2 per week per account). Sure it would have scored higher if it had better analyzed the hrefs, but the point is that it recognized the messages as spam.
Re: (Score:3, Insightful)
The majority of your spam ranking scores depend on some third party real time blacklisting services. My mail servers p
Re: (Score:3, Insightful)
No - it is phishing - the social engineering kind, and it has nothing to do with the security of Adobe Flash. It just fools the user into thinking he is going to download a new Flash player, but he ends up with a virus. I suppose you didn't RTFA.
What, no CNN link? (Score:4, Funny)
I can see the headline now: "We're not spamming you (really)"
Must be a slow day at slashdot... (Score:3, Insightful)
A trojan-horse application is being delivered by email, masquerading as content from a major corporation.
This is news? We're supposed to be surprised?
The *real* story... (Score:2)
Is that CNN's "Crack Team of Reporters" can't discover the responsible parties.
The future of Malware? (Score:5, Interesting)
Cross-posted from my journal.
And now we have the latest malware wave [slashdot.org], where 1000+ legitimate sites have been hacked to serve a fake Flash player. This is going to seriously hurt CNN's reputation (and ad revenue), as a lot of folks are going to set their mail servers to delete stuff that even mentions CNN. Worse yet, it's going to put a serious hurting on the 1000+ hacked sites: CNN has enough goodwill and trust built up that it will survive the onslaught, but the "other victims" may end up blacklisted by a lot of folks.
Most malware authors have learned not to crap in their own bed: the days of a virus that wiped your files are fading; now we have malware that more-or-less uses your files alone, but uses your connection to send spam or do DoS attacks. If they make the attack less blatant, it's less likely to be discovered and cleaned up.
While the malware authors may be trying to stay quiet on the PC, they sure don't mind hurting companies ... and that hurts the internet as a whole. As much as some in the geek community may dislike it, the Internet is paid for by commerce--internet sales, services, and subscriptions indirectly pay for the infrastructure we all use. If these small companies are hurt by spammers and malware authors, then the small companies may be less willing to maintain an internet presence--which means there will be less people who pay the ISPs to maintain and improve the infrastructure.
There are a lot of contingent statements in the above paragraph, and maybe I'm getting more worried than I should be, but I have to wonder: how long will it be until spammers, scammers, and other low-grade shits ruin the Internet for everyone?
Re: (Score:2)
I think Flash takes the hit, and maybe video news delivery as well. But to be honest, what's the great loss? I like CNN and have it bookmarked, but nothing is more irritating than a story that is video only. Unless the story is visually compelling, there is no need to waste so much bandwidth.
Re: (Score:2)
I'd be more concerned about the internet being ruined by net partisaniality (for lack of a better term -- what exactly is the opposite of net neutrality?). The internet ceasing to be a content-agnostic delivery system for bits would be the real tragedy.
As far as spa
Re: (Score:3, Interesting)
The internet ceasing to be a content-agnostic delivery system for bits would be the real tragedy.
This is starting to wander off-topic, but the Internet has never been "content agnostic"--and the WWW is even less so. At least since the advent of the "commercial Internet," and even to some extent on the pre-commercial "academic internet," content (and locations) is vetted by the administrators of the various service providers. Back in the days of the academic Internet--your sysop doesn't like netnews? He can tell the college administrators "It's full of porn," block port 119, and there's not a damn thing
Re: (Score:2)
Problem is the "goodies" aren't doing anything while the "baddies" are very, very active in making themselves known. All that is required for the "baddies" to win - make the Internet unusable - is for the current situation to continue.
Sourceforge harvested, gmail bounced it (Score:4, Funny)
This spam helped me find a bug in my procmail recipe - this was sent to my Sourceforge email address (never had spam there before), and was forwarded on to Google which bounced it as an illegal attachment. Kudos to Google for being on the ball.
The 1,200 recursive bounce messages that ensued were no-one's fault but my own. :)
What Malicious Email? (Score:2)
I haven't received a single one. This is why I run my own mail server. I don't trust other people to do a good job.
Without looking at the logs, my guess is the Zen list from Spamhaus.org is doing the good work here.
Linux Sux (Score:5, Funny)
How am I supposed to see the CNN videos if they don't make a linux version? Linux sux, I'm going back to windows.
Spam, spam, spam, spam... (Score:3, Interesting)
This is a REALLY aggressive spam campaign. I never received a message with the subject of "CNN.com Daily Top 10" until 2 days ago at 1:49 PM. Since then, I have received 1,799 of these messages and counting. Of course, I get spammed to death already -- my email address (deven@ties.org) has been public for many years, and I don't even hide it here on Slashdot, even though it really is my primary email address. Spam has grown to the point where I am receiving over 10,000 messages every single day. (Yes, that's about a million messages in 3 months.)
On a separate note, I received an email yesterday with the title "Action required to avoid account access interruption" -- and it was actually a legitimate email! I receive such emails daily from phishing attempts, but this one was actually sent to me by TD Ameritrade.
It's a sad state of affairs when it's the legitimate email that comes as a surprise.
Mail reader flaw (Score:4, Interesting)
Why don't all mail readers which display html simply do what Slashdot does - show the real site linked to in brackets next to whatever text is in the link, like "cnn.com [http://somewhere.de]" - perhaps with highlighting when both look like urls, but they don't match? That would kill so many phishing attempts.
Re: (Score:2)
Settings for Outlook (Score:3, Informative)
So I set Outlook to always show plain text versions of all emails. This has provided two benefits:
1) Much faster message display
2) Malicious emails are easier to spot
In this case it was a whole bunch of links where the text was http://x.cnn.com/ but the actual href was http://seomthing.de.
In Outlook 2007: Tools - Trust Center - E-Mail Security - Read all standard mail in plain text.
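Added example, not part of the original thread: the check proposed in the "Mail reader flaw" comment and done by eye in the plain-text view described above, written as a Python link auditor that shows the real host in brackets and flags anchors whose visible text names a different host than the href. The sample mail and the `.example` hosts are constructed, and the same-site comparison is a simple suffix approximation (no public suffix list).

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Anchor text that itself looks like a URL or bare hostname,
# e.g. "http://www.cnn.com/x" or "cnn.com/news" (alphabetic TLD required).
URLISH = re.compile(
    r'^\s*(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#\s]|$)', re.I)


@dataclass
class Link:
    text: str          # what the reader sees
    href: str          # where the click really goes
    claimed_host: str  # host named in the visible text ('' if none)
    actual_host: str   # host parsed from the href ('' if none)
    mismatch: bool     # text claims one host, href points at another


def _norm(host):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip('.')
    return host[4:] if host.startswith('www.') else host


def href_host(href):
    """Host the browser would contact; urlsplit ignores any user@ prefix."""
    try:
        return _norm(urlsplit(href).hostname or '')
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return ''


def same_site(claimed, actual):
    """Approximation: equal hosts, or one is a subdomain of the other."""
    return (claimed == actual
            or actual.endswith('.' + claimed)
            or claimed.endswith('.' + actual))


class LinkAuditor(HTMLParser):
    """Collects every <a> with its full visible text, nested tags included."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside an anchor"
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._buf = []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != 'a' or self._href is None:
            return
        text = ' '.join(''.join(self._buf).split())
        m = URLISH.match(text)
        claimed = _norm(m.group(1)) if m else ''
        actual = href_host(self._href)
        # Only text that names a host can contradict the href.
        bad = bool(claimed) and not same_site(claimed, actual)
        self.links.append(Link(text, self._href, claimed, actual, bad))
        self._href = None


def audit(html):
    """Return a Link record for every anchor in an HTML mail body."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.links


def annotate(link):
    """Slashdot-style rendering: visible text followed by the real host."""
    shown = f"{link.text} [{link.actual_host or link.href}]"
    return shown + "  <-- text and target differ" if link.mismatch else shown


# Constructed sample body; hosts under .example are placeholders.
SAMPLE_MAIL = """
<p>CNN.com Daily Top 10</p>
<a href="http://compromised.example/cnnplus.html">http://www.cnn.com/video/top10</a>
<a href="http://edition.cnn.com/2008/">www.cnn.com</a>
<a href="http://other.example/x">Read more</a>
<a href="http://cnn.com.mirror.example/news"><b>cnn.com</b>/news</a>
"""

if __name__ == "__main__":
    for link in audit(SAMPLE_MAIL):
        print(annotate(link))
```

Links whose text is plain wording ("Read more") are never flagged, only annotated with the real host, so the reader still sees where they lead.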
Re: (Score:2)
Indeed, HTML mail is a WTF in itself. But not so bad a WTF as even contemplating using Outlook.
Not Flash (Score:3, Informative)
Just to be clear, users are downloading malicious software that is posing as the Flash Player. "Malicious Flash", to me, means Flash content (a SWF) that uses a vulnerability in the Flash Player to compromise a user's system. While Flash hasn't had a spotless security record, I don't know of any instances where a vulnerability in the Flash Player has been exploited on a scale such as this. In the past few years, Adobe has really strived to make Flash Player much more secure. Were this to be an actual case of "malicious Flash", I think it would be a big PR problem for Adobe and make end users extra wary of Flash for some time to come.
The wording in the title seems to me like calling someone social engineering some passwords a "Windows security vulnerability" - misleading and inaccurate, at best.
uhuh... (Score:2)
Saw it.
Figured it out in 12 seconds.
Deleted it.
Blacklisted it.
As if CNN got me subscribed somehow, and is using some podunk server in East Gish.
pity da fools that got sucked in.
Pfuh ... Call me when they ported it ... (Score:2)
Call me when they ported it to mac so we can have the same user experience ...
Any project maintainers?
Changing the odds of the spammers' game (Score:2)
We need to change the odds of the spammers' game to make them the losers. My suggestion to make Gmail a very hostile environment for spammers [google.com].
Re: (Score:2, Insightful)
Instead of a nickel, how about giving that kid a CDR of a better OS?
Re: (Score:2)
How would installing a different OS help in any way?
I know, some memes are popular here, but it's getting tiresome.
Short version of the story: users are tricked into installing malicious software.
No vulnerability is exploited; the fact that it's Windows and not Linux-distro-of-the-month is irrelevant (remember, once installed, if the software can read your home directory and send passwords and CC details, it achieved its goal - it may not need full system access). The fact that Flash is involved is irrelevan
Re:WINDOWS ONLY. (Score:4, Interesting)
Here's a nickel, kid. Go get yourself a *real* operating system...
I enjoy playing around with Linux. I have a couple spare partitions on my desktop machine where I'll install an interesting new distro when I have some time (right now I have Kubuntu and WinXP set up as dual-boot), and maybe learn a little something about package management or do some cool things in bash ... whatever, doesn't matter to me ... it's the exploring that's the important thing.
You know what? Every time I read a post like the above, it turns me off Linux just a tiny bit.
Re: (Score:2, Insightful)
If someone saying something like that turns you off of Linux, you can expect to hear a lot more of that from people who don't want you to use Linux.
What in the world some jackass' trite comment has to do with your being "turned on" to Linux is beyond me. Either Linux is potentially valuable to you or it isn't. And the GP didn't even mention Linux.
Stop giving other people so much power over your behavior. You are responsible for your behavior, even if you let other people do your thinking for you.
"I wanted t
Re: (Score:3, Insightful)
Of course you can also run Windows and avoid doing unsafe, stupid things. That usually works.
Since I'm on a 3270 terminal to an OS/390 box the size of your house right now, here's your nickel back, and a check for $50.
Re:WINDOWS ONLY. (Score:4, Insightful)
Is it really? I've owned many Windows computers over the past 20 years and I've never had any problems with security. Well, there was that one floppy in the early 90s I accidentally booted off of...
There's 8 Windows boxes here in my den right now. Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been. None of my Server 2003 colo boxes have ever been compromised either. I'm curious, what do you find difficult about securing Windows?
Re: (Score:2)
Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been.
Prove it.
(Not that I don't believe you...but that's a pretty heavy statement to make.)
Re:WINDOWS ONLY. (Score:5, Insightful)
MyDoom, which holds the record [cnn.com] for fastest-spreading worm ever, did so through email and required significant user action.
Statistically, there are about as many of those as there are normal desktop computer users for the platform, since most of these attacks rely on social engineering (as opposed to actual vulnerabilities) to succeed. So the lack of malware for your platform is not due to its inherent superiority, but to the size of its installed base. Windows may have more attack vectors than Linux or OS X, but that doesn't mean that they can be avoided with $0.05 worth of simple common sense.
No, that's why I asked you the question. It's not at all. If it were, those 100K machine botnets would have 100 million zombies instead, and that's not the case, is it? Or do you figure the malware vendors are just not interested in a potential pool of that size? By most measures there's about a billion computers on the planet running some version of Windows.
Oh, sure. But there's no need to be quippy about it. That happened almost 20 years ago, and it was the first and last time any of my systems were compromised. I guess I'm a good learner.
And by the way, "superior ability" is not needed at all. Just patch your boxes and don't download or run stuff from untrusted sources. That should take care of about 99.99% of all your problems. And that's true of any OS.
More secure, yes. (Score:3, Informative)
But not invincible..
Might as well be (Score:2)
Security is not a binary thing, and no one in their right mind has never claimed it is - beyond misinterpretation of unqualified comments.
50,000:1 in my books means that the 1 is damn nigh invincible. Anything else is academic.
PS: I just got pointed out today how stupid the UAC in Vista is. "A program is attempting to access your computer - cancel/allow?" Um, what kind of program exists that DOESN'T "access my computer"? This question was posed by a complete computer novice, so I'm not even speaking on a te
Re: (Score:2)
Don't forget not all infections come from direct user interaction.
Sure, it's the majority since people are stupid, but there are self replicating/spreading worms out there.
Re: (Score:2)
With Linux making some small inroads on the desktop, (http://linux.slashdot.org/article.pl?sid=08/08/05/2310205 [slashdot.org] http://linux.slashdot.org/article.pl?sid=08/08/04/2140203 [slashdot.org] ) it's going to become a worthwhile target for malware soon. I suspect we're going to find out just how secure it is. Fingers crossed...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:snooze (Score:5, Insightful)
It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.
PEBKAC- Problem Exists Between Keyboard and Chair.
There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name, or even a theoretically perfect operating system were one to be invented.
Programs the user executes run in the user's security context. If you can trick the user, you can do whatever the user can do, or in this case, install malicious software.
Re:snooze (Score:4, Insightful)
It's hard to write a trojan that runs on multiple operating systems. They would need to write multiplatform trojans, and for now only Windows has the dominance to ensure profitability.
Not that it isn't possible; Adobe after all has Flash for both Mac and Windows PCs.
Re:snooze (Score:5, Insightful)
Of course that's true in general (Java, perhaps?) but that's not really the issue, although it is an argument for systems diversity in general as opposed to any kind of monoculture.
The issue is that users are stupid. They will remain stupid regardless of what kind of operating system you plunk them in front of, and for my money I'd much rather Microsoft (or antivirus vendors or whomever else) spend their time working to fix actual holes- security flaws that can be exploited without exploiting the vulnerability of the user's stupidity.
Because, to be honest, the security flaw that is the user's intelligence or lack thereof is not something that Microsoft can, or should, fix.
Re: (Score:2)
I suspect it should be possible to create a sandbox within a system that limits the capabilities of userland apps.
In other words instead of a UAC system you have a sandbox where user installed apps live and cannot get out of and the system can monitor these apps and their behaviors for maliciousness.
Re: (Score:3, Insightful)
Sure you could. Some of us do that right now- I have a VM running with a bare-bones Windows XP installation for IE and Firefox.
But this suffers problems. Namely, that if anything from the sandbox can't get out and harm the main system, you... can't get anything out of the sandbox.
The problem, as I said, is that programs run in the user's security context. It's perfectly possible to limit the capability of userland applications, but this does little good from a user's perspective; the user's data also reside
Re: (Score:2)
That's also nearly irrelevant, because what scammers want these days is either your user data (either by reading files or just getting you to type it in) or to use your bandwidth for spamming. Damaging user data is a rare and minor concern these days.
Of course they do need to be able to write exes (etc) to the system. But it doesn't help that a correct copy is still archived away - the new bad one is already running.
Re: (Score:2)
Re: (Score:2)
Re:Nope. Package Management Stops This. (Score:4, Insightful)
So where do Apple users get their Flash updates from then?
Re: (Score:2)
So where do Apple users get their Flash updates from then?
I think they're bundled with Safari, thus the updates would come from the Mac OS X "Software Update" tool.
Re: (Score:2)
That is true, although now that I think about it, most of the third-party Mac OS X applications I use (including Perian but not Flip4Mac) are very good about checking for updates automatically, thus there's at least a tiny shred of hope that the user of such an application wouldn't be suckered in by this "plug-in is out of date; download this new one" trick.
That being said, I am fully aware that Apple users are just as vulnerable to social engineering as their PC counterparts.
And as long as we're on the sub
Re: (Score:2)
The problem is that 'places people can trust' often don't release the software and media that people want to run or view.
Microsoft is not going to release today's latest screener movies via BitTorrent, and Debian is not going to add "Asian Teen Whores IV" to its download repositories.
Your solution is great for OS upgrades, and some applications and their updates, but it certainly doesn't work everywhere.
Re: (Score:2)
RPM is much better!
Re: (Score:3, Funny)
Mac OS X.
Running on an iPhone.
A non-3G iPhone.
SELinux (Score:2)
Not if you are using SELinux that is properly configured, in which case the access controls are set at the level of the application's security context.
Not saying that it's perfect, but it would help and I'm sure that is where most OS's are going to head in the future.
Re: (Score:3, Insightful)
But who sets the application's security context? The user, of course.
(You might argue the administrator sets the security context of the application, and that would be correct; but in this case, the administrator and the user are one and the same.
I realize there exists a separate paradigm where you have a competent administrator sitting on top of an incompetent user and basically 'screening' what happens- in that case, indeed, the 'user' we are referring to is competent and therefore able to provide the sec
PEBKAW3C (Score:2)
I might just be on a hobbyhorse here, but it seems like a proper HTML5 standard with a -video- tag and a recommended codec would put a stop to all this "Download the latest executable thingamajig to view the media on this site"
(if you hadn't heard, this was tried, and any DRM-incompatible codec was called a "non-starter" by the "content industry")
Re: (Score:2)
I think that would require people to actually know what the hell the HTML5 standard is and what its video tag would be.
Such a system wouldn't put a stop to anything- and nor, quite frankly, would one expect it to; just because there is a standard does not mean that disobedience to the dictates of such standard implies a lack of security.
Re: (Score:2)
"Your browser does not support HTML5.1 video codec. Click here to download an update."
Re:snooze (Score:5, Interesting)
It's not a Windows problem nor is it a user problem. BTU (blame the user) is easy to toss around for us geeks, but it really masks the true issue here.
That is, users have been trained to install browser plugins by content providers. These so-called content providers only want to control their content, it's inconsequential to them that they're also exerting control over their viewers. It's also ironic that the mindless stride to control viewers has led that control into the hands of even more dishonest criminals.
In a sense most content provider plugins are trojans themselves. That is, they tell the user they'll provide the ability to view their content, but what they really do is take functionality out of the software and take control away from the user.
This trojan is possible because installing a trojan is an accepted Internet practice. Quick, raise your hand if you have RealPlayer installed. Ideally a browser is all anyone needs to view the web, but at some point during commercialization of the Internet the community took a step in the wrong direction: Flash, RealPlayer. Barf. Don't you see, the problem is clearly not the user's fault.
The problem, in fact, lies with the likes of Adobe, Real and Microsoft for creating stupid crap like Flash, RealPlayer, Silverlight then demanding users install these without thought to view content. If there were nice standards that provided the functionality of these plugins in the browser this would be a non-issue -- the trojan would never have been created.
Re: (Score:2)
I'm not sure how you can blame the content providers. I'm trying to come up with an analogy, but I can't- I think your model is that flawed.
The user has a choice. The user is not forced to install browser plugins. Moreover, not all those plugins are harmful; are you arguing that a monopoly is better for users than diversity? Because that appears to be what you're claiming.
Really, I think you've mixed your own ideological struggles with content providers with the technical issue- and the technical issue is t
Re: (Score:2)
I'm not sure how you can blame the content providers.
It's not hard to understand, let me spell it out for you in user-friendly terms. Content providers often require users to install additional software thus the user is not suspicious when a website wants them to install additional software. Simple isn't it.
There is even terminology in psychology for this, it's called: positive reinforcement. That is the user is used to installing additional software without negative consequence thus they are likely to install more additional software without thought. Aft
Re: (Score:2)
Blame implies they are guilty of some misdeed. They are not.
They have no responsibility for the user's lack of competence, and positive reinforcement is no excuse.
That would be appropriate if, in fact, they were reinforcing the fact that the user should do something wrong, but that is not the case.
Re: (Score:2)
You got +5 way to go, you must be right. *in caveman voice* User dumb, me omniscient. *end caveman voice* Enjoy the bliss.
Re: (Score:2)
There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name,
Well, the enormous hassle involved in getting software outside of a repository installed on a Linux system would leave it quite hardened against this kind of attack.
getting software outside of a repository installed (Score:2)
Like clicking on a .deb package, [entering password,] and letting gdebi install it?
It would be fairly obvious on unix... (Score:2)
... if malicious software was starting up when you log in - something having modified your .profile, .bashrc , whatever. Also it would be dead easy to remove. Not so with windows which generally takes an age to log in anyway so you probably wouldn't even notice a few extra seconds, and the places where a user space trojan initiator script can hide are so varied.
Yes under unix a user space process could fork off a daemon which remains running after you log out but once discovered running it's easily killed an
Re: (Score:2)
Also known as "A Layer 8 Issue"
Re: (Score:2)
If that is the case, then how do you change Windows to defend the user?
If, in fact, the problem is with Windows, then obviously there is something Microsoft can fix to-
Oh, wait, no. They can't. The operating system is not doing anything wrong.
Re: (Score:3, Interesting)